
VM: Flaky crash in VisitPointersPredefined on co19_2/Language/Classes/method_definition_t10 #37544

Closed
alexmarkov opened this issue Jul 16, 2019 · 2 comments
Labels
area-vm Use area-vm for VM related issues, including code coverage, FFI, and the AOT and JIT backends. crash Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash. gardening type-bug Incorrect behavior (everything from a crash to more subtle misbehavior)

Comments

@alexmarkov
Contributor

Can be reproduced on mac:

tools/build.py -m release -a x64 runtime
tools/test.py -n dartk-mac-release-x64 --repeat 1000 co19_2/Language/Classes/method_definition_t10
  DART_CONFIGURATION=ReleaseX64 xcodebuild/ReleaseX64/dart --ignore-unrecognized-flags --packages=/b/s/w/ir/.packages /b/s/w/ir/tests/co19_2/src/Language/Classes/method_definition_t10.dart
  exit code:
  -6
  stderr:
  Class Id: 0
  ../../runtime/vm/raw_object.cc: 322: error: unreachable code
  version=2.5.0-edge.d0cb753ebdb350c30158cfb526c0bbdf5257c144 (Mon Jul 15 17:09:06 2019 +0000) on "macos_x64"
  thread=5635, isolate=main(0x7ffcf7017e00)
    pc 0x000000010c25e944 fp 0x0000700001f8cbd0 dart::Profiler::DumpStackTrace(void*)
    pc 0x000000010bf583d2 fp 0x0000700001f8ccb0 dart::Assert::Fail(char const*, ...)
    pc 0x000000010c274d0e fp 0x0000700001f8cd00 dart::RawObject::VisitPointersPredefined(dart::ObjectPointerVisitor*, long)
    pc 0x000000010c4a1c9f fp 0x0000700001f8cd30 dart::Scavenger::VisitObjectPointers(dart::ObjectPointerVisitor*) const
    pc 0x000000010c497e4a fp 0x0000700001f8cdc0 dart::GCMarker::IterateRoots(dart::ObjectPointerVisitor*)
    pc 0x000000010c499fad fp 0x0000700001f8ce50 dart::ParallelMarkTask::Run()
    pc 0x000000010c2fcebf fp 0x0000700001f8ce80 dart::ThreadPool::Worker::Loop()
    pc 0x000000010c2fcd62 fp 0x0000700001f8cec0 dart::ThreadPool::Worker::Main(unsigned long)
    pc 0x000000010c25ae8f fp 0x0000700001f8cef0 dart::ThreadStart(void*)
    pc 0x00007fff5c459661 fp 0x0000700001f8cf20 _pthread_body
    pc 0x00007fff5c45950d fp 0x0000700001f8cf50 _pthread_body
    pc 0x00007fff5c458bf9 fp 0x0000700001f8cf78 thread_start
  -- End of DumpStackTrace
  --- Re-run this test:
  python tools/test.py -n dartk-mac-release-x64 co19_2/Language/Classes/method_definition_t10

Appeared 2 times per 1000 iterations.

/cc @rmacnak-google @mkustermann

@alexmarkov
Contributor Author

This can be also reproduced on Linux.

@rmacnak-google
Contributor

Using rr with watchpoints, I see that the header was overridden by a bad offset in a StoreInstanceField instruction:

file:///usr/local/google/home/rmacnak/dart1/sdk/tests/co19_2/src/Language/Classes/method_definition_t10.dart_A_A.
...
        ;; GuardFieldLength:14(_x@19443451 <?>, t2)
0x7f023932cbee    58                     pop rax
0x7f023932cbef    498b4f1f               movq rcx,[pp+0x1f]   Field <A._x@19443451>: final
0x7f023932cbf3    480fbe515f             movsxbq rdx,[rcx+0x5f]
0x7f023932cbf8    488b5937               movq rbx,[rcx+0x37]
0x7f023932cbfc    4883fa00               cmpq rdx,0
0x7f023932cc00    0f8824000000           js 0x00007f023932cc2a
0x7f023932cc06    483b1c10               cmpq rbx,[rax+rdx*1]
0x7f023932cc0a    0f841a000000           jz 0x00007f023932cc2a
0x7f023932cc10    51                     push rcx
0x7f023932cc11    50                     push rax
0x7f023932cc12    498b9e80030000         movq rbx,[thr+0x380]
0x7f023932cc19    41ba02000000           movl r10,2
0x7f023932cc1f    41ff9680010000         call [thr+0x180]
0x7f023932cc26    415b                   pop r11
0x7f023932cc28    415b                   pop r11
        ;; StoreInstanceField(t0 . _x@19443451 = t1, barrier removed)
0x7f023932cc2a    415b                   pop r11
0x7f023932cc2c    58                     pop rax
0x7f023932cc2d    48c740ff00000000       movq [rax-0x1],0    <<<<<<<<<< stores to header instead of first field
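The addressing error in the disassembly above, as an added C model (not the Dart VM's code and not part of the analysis in the comment): a tagged heap pointer, a field store that compensates for the tag, and the header check a pointer visitor relies on. The layout (64-bit words, pointer tag 1, class id in the low 32 bits of a one-word header, first field at offset 8) is an assumption for the model, not the VM's real header encoding.

```c
#include <stdint.h>
#include <stdio.h>

/* Model assumptions (not the Dart VM's real layout): 64-bit words, heap
 * pointers tagged with 1, one-word header at offset 0 whose low 32 bits
 * hold the class id, instance fields starting at offset 8. */
enum { kHeapObjectTag = 1, kFirstFieldOffset = 8 };

typedef struct {
    uint64_t header;    /* class id lives in the low 32 bits (model) */
    uint64_t fields[2]; /* instance fields, e.g. _x and a second one */
} Instance;

/* Tagged pointer, as generated code holds it in rax. */
static uintptr_t tag(Instance *obj) { return (uintptr_t)obj + kHeapObjectTag; }

/* Correct StoreInstanceField addressing: [rax + (field_offset - tag)].
 * With field_offset == 8 this lands on fields[0]. */
static void store_field(uintptr_t tagged, int field_offset, uint64_t value) {
    *(uint64_t *)(tagged + field_offset - kHeapObjectTag) = value;
}

/* What a VisitPointers-style walker must hold: a zero class id means the
 * header was clobbered, and the real VM trips its unreachable-code assert. */
static int header_is_sane(const Instance *obj) {
    return (uint32_t)obj->header != 0;
}

/* Store 0 through a given field offset into a fresh object (constructed
 * class id 0x2a) and report whether a visitor would still accept it.
 * field_offset == 0 reproduces the [rax-0x1] store from the disassembly. */
static int visitor_accepts_after_store(int field_offset) {
    Instance obj = { .header = 0x2a, .fields = { 1, 2 } };
    store_field(tag(&obj), field_offset, 0);
    return header_is_sane(&obj);
}

/* Value of fields[0] after the same store, to show the good case lands. */
static uint64_t field0_after_store(int field_offset, uint64_t value) {
    Instance obj = { .header = 0x2a, .fields = { 1, 2 } };
    store_field(tag(&obj), field_offset, value);
    return obj.fields[0];
}

int main(void) {
    printf("offset 8: visitor accepts=%d\n", visitor_accepts_after_store(kFirstFieldOffset));
    printf("offset 0: visitor accepts=%d\n", visitor_accepts_after_store(0));
    return 0;
}
```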

dart-bot pushed a commit that referenced this issue Jul 18, 2019
Bug: #37544
Change-Id: Ie3620dd9adf8382afc018cf764965b4ff74d2b75
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/109440
Reviewed-by: Alexander Markov <alexmarkov@google.com>
Commit-Queue: Ryan Macnak <rmacnak@google.com>